List:       lists-bincimap
Subject:    Re: [bincimap] cipher list argument
From:       Andreas Aardal Hanssen <bincimap () andreas ! hanssen ! name>
Date:       2003-04-22 23:16:21

On Tue, 22 Apr 2003, Bryan Christ wrote:
> Andreas,
> In your documentation, the "ca file" parameter is = "".  I currently have
> it pointing to /etc/openssl/cacert.pem where "cacert.pem" is the root CA
> certificate I created for myself.  Is that correct?

The CA file is supposed to be a list of certificate authorities, such as
the bundled ca-bundle.crt that comes with Red Hat. This is from what I
understand used to verify the client certificate (when verify peer = yes).

Your cacert.pem file may be a pem encoded CA file, and if it is, then that
should work. By default, the CA file is set to "" simply because verify
peer by default is also "no".

Usually, the server will have verify peer = no. This means that during the
initial SSL/TLS handshake, only the server's certificate is validated by
the client. In that case, all the server needs is a PEM encoded
certificate file (as generated by make server.pem in /usr/share/ssl/certs
when using Red Hat).

Hope this helps,

Andy :-)

> ---------- Original Message ----------------------------------
> From: Andreas Aardal Hanssen <bincimap@andreas.hanssen.name>
> Reply-To: Binc IMAP <lists-bincimap@infeline.org>
> Date: Mon, 21 Apr 2003 19:38:18 +0200 (CEST)
> 
> > On Wed, 16 Apr 2003, Bryan Christ wrote:
> > > Here is a detailed output from openssl with the -state and -debug args
> > > It is also clear from my maillog created by postfix that my pem key is useable:
> > 
> > I suspect that if you post this data to the OpenSSL mailing list, that
> > they will be of much greater help. The cipher list argument is passed as
> > is to the OpenSSL handler, so if it fails it's sort of out of my league.
> > 
> > The address is openssl-users@openssl.org.
> > 
> > I'm sure the OpenSSL guys can tell you what's wrong. :-)
> > 
> > Andy
> > 
> > -- 
> > Andreas Aardal Hanssen | http://www.andreas.hanssen.name/gpg
> > Author of Binc IMAP    | Nil desperandum
> > 
> > 
> > 
> 

-- 
Andreas Aardal Hanssen | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP    | Nil desperandum
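
The role of the CA file under "verify peer = yes", as described in the reply above, shown with the openssl command line. This is an added example, not part of the original message and not Binc IMAP code; it assumes an openssl binary on PATH, and every certificate, key and file name in it is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the thread. Every file and name here is constructed.

# ca_file_cert_count FILE: print how many certificates OpenSSL can parse out
# of a PEM CA file (0 for an empty file, a key, or anything that is not PEM).
ca_file_cert_count() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        grep -c '^subject' || true
}

# peer_cert_accepted CAFILE CERT: succeed only if CERT chains to a CA in
# CAFILE, the check that peer verification applies to a client certificate.
peer_cert_accepted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT

# Constructed root CA, standing in for a self-made cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Root CA' \
    -keyout "$demo/ca.key" -out "$demo/cacert.pem" 2>/dev/null

# Client certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -subj '/CN=constructed-client' \
    -keyout "$demo/client.key" -out "$demo/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$demo/client.csr" -CA "$demo/cacert.pem" \
    -CAkey "$demo/ca.key" -CAcreateserial -out "$demo/client.pem" 2>/dev/null

# Self-signed certificate from a party the CA file does not list.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=constructed-stranger' \
    -keyout "$demo/other.key" -out "$demo/other.pem" 2>/dev/null

# A CA file may hold several authorities, one PEM block after another.
cat "$demo/cacert.pem" "$demo/other.pem" > "$demo/bundle.pem"

echo "CAs in cacert.pem: $(ca_file_cert_count "$demo/cacert.pem")"
echo "CAs in bundle.pem: $(ca_file_cert_count "$demo/bundle.pem")"
for cert in client.pem other.pem; do
    if peer_cert_accepted "$demo/cacert.pem" "$demo/$cert"; then
        echo "$cert: accepted"
    else
        echo "$cert: rejected"
    fi
done
```

With peer verification off, none of these checks run on the server side and the CA file can stay empty, which matches the default described in the reply.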

